Rebuilding After the Parachain Attack: A Message to Our Community

TL;DR

On October 31, 2024, an attacker exploited a malicious runtime upgrade on the Parallel parachain, resulting in the theft of over 312,185 DOT and 126,837 USDT. This event was devastating for our platform and our community. Through our tireless efforts and days and nights of hard work along with the Polkadot community, we successfully rebonded 200,000 DOT, which was separate from the main attack, back to the chain. We remain fully committed to supporting affected users, compensating losses, and strengthening the platform’s security. While some solutions depend on the approval of Referenda 1339, expected in approximately 28 days, the remaining challenges will require a longer timeframe to address. We deeply appreciate your patience and trust as we work tirelessly to rebuild and move forward stronger than ever.

Incident Overview

The attacker exploited a malicious runtime upgrade, granting themselves administrative privileges on the parachain. By November 22, they had minted unauthorized DOT and USDT tokens, taken control of various parachain features, and stolen 312,185 DOT from sovereign and staking accounts. They sold more than half of funds across multiple exchanges, transferred assets cross-chain to Moonbeam, and swapped USDT for DOT, which was then sent back to Polkadot. To cover their tracks, the attacker used new addresses, moved funds across different chains, and ultimately transferred the stolen DOT to Ethereum, where it was exchanged for ETH, BTC, and DAI. You may check out further details in this document.

Commitment to Users

This attack has shaken the trust and confidence you placed in us, and we take full responsibility for what happened. We understand the gravity of this situation, and we are committed to making things right. Our team is working day and night to address the issues caused by this incident. All technical problems will be resolved as quickly as possible. If you’ve been affected, please reach out to us through our Discord ticket system — your concerns are our top priority. Your patience and support during this difficult time mean everything to us. Together, we will overcome this challenge and emerge stronger.

Current Progress

Despite the challenges, we’ve made significant progress toward recovery. Here’s what we’ve achieved so far:

Recovery Efforts: We collaborated with the Parity team to submit Referenda 1332, which passed with a 117M DOT vote with conviction. This allowed us to rebond 200,000 DOT, a critical milestone in restoring what was lost. We want to extend a huge thank you to the Parity team and entire Polkadot community for their invaluable support — this achievement wouldn’t have been possible without them.

Restore the Sudo Right: We are diligently working on Referenda 1339, which, if passed, will regain the sudo access and fully secure the platform. This is a vital step in preventing future attacks and addressing existing user issues. Our team wrote the runtime update and thoroughly tested it to ensure its effectiveness and reliability. At this stage, we are focused on addressing community questions and rallying the additional votes needed to ensure its success. Your engagement and support are critical as we take this important step to safeguard our platform and community.

Supporting Users: Even without sufficient funds in the parachain’s sovereign account, we’ve prioritized user withdrawal requests and have personally compensated over 50 user withdrawals out of pocket. Additionally, our community manager Hulu has been diligently working to support users, answering questions, resolving concerns, and ensuring everyone affected receives the assistance they need during this challenging time.

Strengthening Security: We’ve launched a comprehensive review of potential vulnerabilities across our ecosystem, including our Ethereum-based products. To prevent future incidents, we’re also developing a real-time monitoring system to proactively address potential issues.

Tracking the Hacker: In collaboration with law enforcement and security firms, we’ve engaged over 55 exchanges to block and freeze funds tied to the attacker’s addresses. This has already prevented the movement of over 14,000 DOT. Multiple police reports have been filed across different jurisdictions, and we are working closely with authorities to recover frozen funds and pursue the hacker. We will not stop until every stolen fund is recovered and returned to its rightful owner, regardless of how many years it may take. Each step the attacker takes leaves traces, and we are confident that, with time, justice will prevail. To those who have provided information or assistance — thank you. Your support is invaluable, and we are offering a generous bounty for any information that helps us capture the attacker.

Issue and Solution

We know this incident has caused frustration, concern, and uncertainty, and we deeply regret the impact it has had on our users. Here are the six most common issues and how we’re addressing them:

1. XCM Issues

Problem: You are attempting to withdraw DOT to the relay chain but have failed to receive your funds due to the hacking incident.

Solution: Your DOT will be reminted on Parallel in the form of sDOT (becuase there are only staked DOT on our Parachain), and you will need to wait for the unstake period.

Estimated Timeline: This process will take roughly two months, as it requires Referenda 1339 to pass and your staked DOT to unstake.

2. sDOT Issues

Problem: You notice that the sDOT is either in a pending state or the unstake transaction has failed, yet you have not received the corresponding DOT.

Solution: We will remint your sDOT, allowing you to unstake again and retrieve your DOT.

Estimated timeline: This process will take roughly two months, as it requires Referenda 1339 to pass and your staked DOT to unstake.

3. Balance Missing Issues

Problem: You may have reported missing balances. This issue arose during the closure of the money market, as we needed to transfer positions from different products, which may have resulted in some positions being accidentally burned.

Solution: We understand how alarming this can be, and we will mint back your position.

Estimated timeline: This process will take roughly one and a half months, as it requires Referenda 1339 to pass and regain sudo access.

4. cDOT Issues

Problem: You are unable to redeem cDOT back to DOT.

Solution: Since we announced the closure of the crowdloan products across multiple channels (Medium, Twitter, Discord) on August 5, 2024, you will not be able to make any new redemptions. However, as a gesture of goodwill, we will offer 1,000 PARA rewards for each cDOT held by remaining cDOT holders like you, which will make you eligible to receive priority access to the new airdrop (airdrop details will be announced in Q1 2025 on X). Additionally, we will open swap pairs for cDOT/PARA and cDOT/DOT. That said, we can’t guarantee the conversion price, but we will do our best to provide liquidity for you.

Timeline: This process will take roughly two months, as it requires Referenda 1339 to pass and open relevant AMM pairs.

5. USDT Issues

Problem: You are unable to withdraw USDT back to AssetHub.

Solution: As mentioned in the incident overview, the attack maliciously stole all available USDT on our parachain, and now you cannot withdraw USDT anymore. We are actively tracking down the attack and working to recover the funds lost in the hack.

Timeline: We cannot provide a specific timeline at this moment, but please rest assured that we are doing everything we can to resolve this issue as quickly as possible.

6. Other Issues (e.g., Swap, MM, Ledger, Heiko-related)

We understand that other issues, such as swap errors, money market repayment concerns, or ledger-related problems, are frustrating. While these are not currently our highest priority, please know they are not being ignored. Once we tackle the more urgent matters, we will address these issues within the next 2–3 months and keep you updated on our progress. Your patience and trust during this time mean the world to us.

Conclusion

This exploit was a significant setback, and we deeply regret the impact it has had on our community. However, we remain fully dedicated to addressing the aftermath — prioritizing platform security, fund recovery, and supporting affected users. With a steadfast focus on accountability and transparency, we are working tirelessly to restore your confidence and protect the future of our platform. We are also willing to accept the community’s oversight as we deeply reflect, review, and learn from this incident. Both the project and our team are committed to growing through this experience, forging stronger wings to weather future storms. Thank you for standing with us during this critical time.